On Tue, 2016-07-19 at 00:09 +0200, Alexander Wirt wrote:
> /var/cache/icinga2
> > > drwxr-x--- 2 nagios www-data 4096 Jul 18 23:33 icinga2
> Not writable, otherwise icinga classicui won't work ...
> > I didn't say user-owner, but just owner… and as your own quoting
> > shows,
> > it's group-owned by www-data.
> Not writable, otherwise classicui won't work.
>
> Please tell me where you are seeing the security problem.
If it's not a problem when this can be read respectively written by anyone, why not allow o+w respectively o+r?

And as I've already said, the security problem is that any other piece of software that runs inside the webserver context will have full access to at least the command socket, thus being able to control that.

> > As I wrote, if one doesn't run mod_php, but CGI or FPM, the
> > effective
> > user won't be www-data, and thus accessing the external command
> > socket
> > won't work.
> > So in fact the webfrontends aren't able to send commands. :-(
> They are with default setups.

I don't see any policy or other thing in Debian that would require people to use mod_php....

> > Anyway, if you insist on not allowing people a bit more powerful
> > configuration choices, then please:
> > - make at least DAEMON_CMDGROUP configurable for systemd-users, and
> > - have a look on the security issues implied by anything running in
> > the
> > webserver's context being able to access Icinga by default
> They have to, otherwise it won't work.
>
> I consider this done.

Well, not really, as it still doesn't work... but I see that stubbornness (or one must possibly already assume intentionally placing obstacles in users' way when a fix would be pretty easy) hasn't changed, so it would be just wasting my time begging any further for a simple fix.

Cheers.
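The permission concern argued in the message above, as an added audit script that is not from the thread or the Debian icinga2 package: it classifies how exposed an Icinga command endpoint is to the web-server group and lists the running processes that carry that group and so inherit whatever it grants. The command-pipe path, the www-data group name and GNU stat are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Debian package): audit which
# group can write to an Icinga command endpoint, and which running
# processes hold that effective group and therefore inherit the access.
# The paths below are assumptions for a Debian-style layout.

CMD_PIPE=${CMD_PIPE:-/var/run/icinga2/cmd/icinga2.cmd}   # assumed path
CACHE_DIR=${CACHE_DIR:-/var/cache/icinga2}               # from the thread
WEB_GROUP=${WEB_GROUP:-www-data}

# Classify PATH's exposure relative to WEBGROUP. Prints exactly one of:
#   missing | world-writable | group-writable:<grp> | group-readable-only:<grp> | private
cmd_exposure() {
    path=$1; webgroup=$2
    [ -e "$path" ] || { echo missing; return 0; }
    mode=$(stat -c '%a' "$path")      # e.g. 750 or 2750; last three digits matter
    grp=$(stat -c '%G' "$path")
    other=$(( mode % 10 ))            # octal digits are < 8, so decimal math works
    group=$(( (mode / 10) % 10 ))
    if [ $(( other & 2 )) -ne 0 ]; then
        echo world-writable
    elif [ "$grp" = "$webgroup" ] && [ $(( group & 2 )) -ne 0 ]; then
        echo "group-writable:$grp"
    elif [ "$grp" = "$webgroup" ] && [ $(( group & 4 )) -ne 0 ]; then
        echo "group-readable-only:$grp"
    else
        echo private
    fi
}

# List processes whose effective group is GROUP: each of them, not only the
# intended web front-end, can use whatever that group is granted.
procs_in_group() {
    ps -eo pid=,group=,comm= | awk -v g="$1" '$2 == g { print $1, $3 }'
}

main() {
    for p in "$CMD_PIPE" "$CACHE_DIR"; do
        printf '%s: %s\n' "$p" "$(cmd_exposure "$p" "$WEB_GROUP")"
    done
    echo "processes running with effective group $WEB_GROUP:"
    procs_in_group "$WEB_GROUP"
}

# Run the audit only when executed directly, not when sourced for testing.
if [ "${0##*/}" = "audit_icinga_cmd_access.sh" ]; then main; fi
```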